What’s wrong with my username and password?
Typical online authentication requires a username and a password – this is something a user has to know.
These can be (and are frequently) written down, shared with other people or leaked from hacked sites to the world by malicious third parties..
Users will often setup the same username and password with multiple online services. This is super-convenient because they only have to remember one set of credentials, but if those credentials get leaked, hackers will have access to all services where that set of credentials have been used.
This could be your mailbox, your social media accounts, online shops, dating sites (!) etc. and once an attacker has access to your mailbox, they can use the “forgot password” function of any website to reset your password and control your account.
To remedy all this, you can add an additional layer of security called Two Factor Authentication (2FA), sometimes called Multi Factor Authentication (MFA).
What is Multi Factor Authentication?
This is so-called because it adds an additional factor to the authentication process. In additional to what a user knows (their username and password), it adds the requirements of something a user has.
MFA requires a physical device to deliver you a security “token” to enter alongside your username and password. This is typically a 6 to 8 digit number or sometimes a random text string. Here are some ways a code can be made available to you:
- Via text message (SMS). You’ll be sent a unique code to your mobile phone.
- Via a phone call. You’ll be called and an automated voice will read out a code to you.
- Via an email. You’ll receive a message in your inbox that contains a code.
- Via a hardware token. You’ll have a “fob” that continuously displays an ever-changing code.
- Via a software token. You’ll have an app on your smartphone, tablet or computer which generates a continuously changing code – just like a hardware token.
Who supports MFA?
Not all online services, support MFA… but a growing number do. twofactorauth.org is a really useful site that tries to keep an up-to-date list of services that do offer MFA, and if they don’t, it (rather cheekily) provides a link to the service’s twitter page so you can ask them to.
For sites that support Software Tokens, I’d like to recommend an solution called Authy. This is a free system that has the following benefits:
- It’s cloud-based. This means everything’s stored centrally and backed-up for you in case you lose your device.
- It runs on multiple platforms including desktop, tablet, smartphone and smartwatch. This means you’re not limited to only having a single code-generator.
- It’s password protected and can use the biometric authentication offered by laptops, tablets and smartphones.
- It supports different types of code generators .
- Although it’s a cloud-based service, the code generator works offline.
- It supports three different type of security token including:
- OTP (One-Time Passcode)
- Soft token TOTP (Time-based One-time Passwords)
- Push Authentication